Archive

Principles Are More Important Than Tactics

Security doesn’t come from the specific things you do. It comes from an overall approach to doing everything. In that sense, the principles that underpin your decisions and actions matter more than the decisions and actions themselves. Those statements may seem inscrutable or contradictory, so I owe you further explanation.

Process and procedure can never be made so that they will, in isolation, provide optimum security. Even with very well-thought-out, nearly comprehensive tactics, unplanned events will always come up. You’ll have to make decisions when there’s no written plan and no precedent. When you’re making those decisions, you need to weigh all the factors you can take into account and move forward based on your judgement. Your judgement here is a point-in-time reflection of your principles. If your principles fail you, so will your judgement, and you’d have to get lucky for your decision to be the right one.

In most organizations, processes and procedures leave a lot of room for decision making. It’s not just the occasional judgement call that has to be made; these usually happen on a daily basis at most levels of the organization. So strong tactics but poor principles will compound over time and erode even the best security program.

Instead, focus on coming up with strong principles, and make sure everyone knows them. Clear communication, understanding and internalization are key to having principles, not just tactics. This way, whenever any decision is made, there’s a good chance that the judgement behind it is sound. This also, by the way, will push decision-making down in the organization, freeing up management to tackle larger and more strategic issues and critical problems.

This is part of a series of short tips for Information Security Managers, where Stratigos Security will provide you with some of the benefits of our experience working with others like you. If you like what you read, come back for more!

Business is About Taking Risks

One of the fundamental things that drives our economy is risk-taking. That’s the natural inclination of the most successful business people I’ve met. There’s risk in both going in a new direction – what you might call “venture risk” – that separates the promising businesses from the failing.

Let’s look at an example to better illustrate the point. Suppose we have two otherwise identical chair makers, making identical chairs. One day they overhear someone mentioning that having a cup holder built into the chair would be a good thing. That’s never been done before, so there’s a risk in making something different. Now one maker takes a venture risk and builds his next line of chairs with a cup holder and it’s a hit, selling twice as many as before and even commanding a premium. The risk-averse chair maker sticks with the old design and sees a drop off in sales. The venture risk-seeking businessman wins. Enough of these successful venture risk decisions and he drives the other chair maker out of business.

But thinking back on the same situation, it’s possible to see that the risk-averse chair maker is also taking a risk. His risk is that failure to innovate will drive his company out of business. Now, his is actually what we would see traditionally as the safer bet. But expanding on the scenario just a little bit, it’s possible to show that the status quo is actually riskier. All you have to do is assume that some day a better chair will be created and put into production. This virtual certainty also virtually guarantees that the risk-averse chair maker will eventually go broke.

Most businesses today are a far cry from this idealized chair maker – even the chair making industry. But the vignette translates well to the highly risk-averse attitudes of many CISOs and other information security professionals today. They try to eliminate all security risk, but in doing so they virtually doom the enterprise to certain failure. That’s why they’re often perceived as ineffective. Instead, CISOs should help their companies make smart decisions and help protect against security, privacy and compliance threats when taking venture risks.


Cultivate Understanding

This is the opposite of running around trying to inform everybody of what you think is the biggest problem. It means getting with them to understand what their problems are and where their risk prioritization is, and then finding out where your concerns fit in there. Maybe they’re already aware of the threat and aren’t concerned; or maybe they have a way to mitigate it you hadn’t thought of; or maybe they need to listen, but don’t trust Infosec yet. By bringing the business into the Infosec decision-making process, there’s more trust, more chance they’ll listen when you talk, and more chance you’ll have the right answer for their needs. Usually that all means more budget, plus more willingness to go along with what you want!

Example: I know of a company that was going into China to open R&D centers. The CISO was trying to say “no we shouldn’t, it’s too risky because somebody could steal our IP.” But the business knew this – their strategy around it was to lean on other assets like brand reputation (which is actually fairly well protected in China) to protect against that. In other words, lost IP wouldn’t necessarily translate into lost revenue or profits. In another company the BOD wanted to have their updates and formal reports delivered to an iPad. The CISO worked with Finance to say yes because the costs of securing the digital distribution were less and results better than securing the hard copies. IT and Security helped save money and reduce risk, and got a high-visibility win for the company.
